From Ample Panda, 3 Years ago, written in Plain Text.
Getting root console on Pace 5268AC ATT router (aka RG: Residential Gateway)
(warning: super advanced hackers only at this point)

Assumes you are familiar with advanced device hacking, e.g. soldering, serial UARTs, Linux, etc.
Assumes you know how to run a MIPS binary on an Intel PC, e.g. with qemu-mips-static.
Assumes you know how to binwalk/unpack ATT firmware, explore their squashfs roots, etc.
Assumes you can use Cutter to disassemble MIPS binaries/libs, and generally understand what is going on.

First of all, if you don't understand any of this - STOP - wait until others explore the cave safely and install guide ropes (i.e. easier methods).
You can and/or will likely brick your router, etc. Pick up a used router on eBay to experiment with.
If you are a foolish adventurer, continue on.

You'll probably want to keep the router disconnected from the internet/ATT WAN until you have what you want. When you connect it back up, it will want to auto-upgrade back to the latest version, which likes to disable dropbear sshd, disable the serial console, remove the rma user, etc. ;)

1. Get access to the console serial port. RX/TX are pins 13 & 15 (bottom) of the 16-pin edge connector on the front of the unit.

2. Figure out the `rma` user root backdoor password for your router serial number. It only seems to be present and/or installed on earlier firmwares, like maybe 10.5 or 10.6?
Look into earlier firmwares for how the password is generated, in /sbin/sysinit: the create_rma_user function. It involves /usr/bin/pseudopasswd, which does some kind of shift/stream-cipher "encryption" of an input string, part of which is the serial number. The algorithm can probably be reverse engineered (looks like XOR'ing and byte swapping/rotation), however it's pretty easy to just run pseudopasswd directly in the qemu-mips-static emulator on a Linux PC (this involves copying the qemu-mips-static binary into, and chrooting to, the squashfs root).

3. Once you have the rma user password, find and downgrade to an earlier firmware, probably 10.5 (or maybe 10.6), at https://192.168.1.254/upgrade
Once rebooted into the older firmware, you should be able to log in to the serial console as the rma user with the password determined in step 2.

From here you are in, and there are some interesting things to explore.

The rma user gets removed/changed in later fws, and the root passwd also seems to get "fixed" on some fws/boots. Create a back-door root user of some other name, and it does not seem to get removed.
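From the other side of the fence: an extra uid-0 account of "some other name" is exactly what an operator or auditor should be looking for on a gateway like this. The following is an added example, not part of the paste and not AT&T's or Pace's code; it audits a passwd-format file for any uid-0 account besides root using only busybox-compatible sh and awk. The passwd content it runs against is constructed here for the demo (the `rma` and `svc` entries are made up), not captured from a real device.

```shell
#!/bin/sh
# Added example (not from the original paste): flag every account in a
# passwd-format file that has uid 0 but is not named "root". Needs only
# POSIX sh and awk, so it runs on a busybox-based gateway as well as a PC.

# Constructed sample passwd content for the demo (not from a real RG).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
rma:x:0:0:rma:/:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
svc:x:0:0:second backdoor:/tmp:/bin/sh'

# Print the name of every uid-0 account other than root, one per line.
# $1: path to a passwd-format file (field 3 is the numeric uid)
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Exit status 0 when root is the only uid-0 account, 1 otherwise.
# $1: path to a passwd-format file
passwd_is_clean() {
    [ -z "$(extra_root_accounts "$1")" ]
}

# Demo run over the constructed sample; on a real box point it at /etc/passwd.
demo_file="${TMPDIR:-/tmp}/passwd.sample.$$"
printf '%s\n' "$SAMPLE_PASSWD" > "$demo_file"
if passwd_is_clean "$demo_file"; then
    echo "ok: root is the only uid-0 account"
else
    echo "WARNING extra uid-0 accounts: $(extra_root_accounts "$demo_file" | tr '\n' ' ')"
fi
rm -f "$demo_file"
```

The check is deliberately name-agnostic: it keys on the uid field rather than on the `rma` name, since the whole point of the paragraph above is that the extra root account can be called anything.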

Dropbear ssh can be enabled with `debugsys --sshdon` (but may be disabled in newer fws, see below about trusteng_cert).
`debugsys --info` dumps out some interesting info.

The filesystem seems to be some proprietary "opentl" filesystem on top of mtd. The main/last mtd partition seems to be on /dev/opentla, and the various "partitions" are like /dev/opentlaN. This might have something to do with the multiple image/settings partitions, e.g. "dual flash" etc.

`paramtool -show`
seems to dump out some parameters, in what looks like one of the 64k parameter partitions in flash, /dev/opentla1 and /dev/opentla2.
Most interesting to me are device_p12 and lightspeed_p12, which are base64-encoded PKCS#12 cert chains, encrypted with a string of device key + a special string inside librgw_compat:librgw_sec_get_shroud_key() + serialnum - google for more info. lightspeed_p12 is the correct cert/key for doing EAPOL auth on the WAN port.

/sys/module/board/parameters/* have lots of neat info about the device.

cmc - config mgmt client (for cmd?)
`cmc get cmlegacy` dumps out lots of config in a tree-like format.

lmc - some kind of client into lmd - still not sure exactly what it does, something about various modules (might be able to somehow get the eapol stuff to do more debug logging, and perhaps spill some secrets about the eapol stuff it's doing).

cwmc - some kind of client into cwmd, probably a CWMP/TR-069 related daemon?

Starting around fw 11.6+, the serial port is disabled on bootup by /etc/init.d/S01UART by poking some Broadcom GPIOs. It doesn't do this if the param value of `gw:trust_engcert` is `true`.

Not sure exactly what the param `trusteng_cert` does, but maybe some kind of engineering testing/qualification mode for some devices. Having this enabled seems to do a few things in a few places, like allowing dropbear and the serial port to remain enabled, and maybe also how pkgc (package mgr client?) decides whether to check pkg signatures. But I'm sure that ATT can see this remotely via the phoning home that the various config mgmt daemons do.

Newer versions of fw also seem to move dropbear sshd (if running) from port 22 to some higher-numbered port (like 51002).

A USB drive automounts on /rwdata/sda1/.

And so much more.

update:
there is a faster and easier way to grab the certs - just run this from /tmp or /rwdata/sda1 (usb):
https://pastebin.com/qK8A3rZt

--------

Happy hacking y'all.